Over a year ago when I was considering my first Android phone purchase I setup a test account on my mail server so that I could test email clients on phones and tablets. I used a short password because I didn’t want to type a lot on small screens and because typing a password into a random system owned by someone else isn’t particularly secure anyway. Then I forgot about the account until I noticed that my mail server was sending out spam.
Next time I setup such a test account I’ll put rules similar to the following in my Postfwd  configuration to stop Postfix from sending such messages. That will prevent the test account from receiving mail from outside or sending mail out of the server. The former is optional (getting a few thousand spam messages in an unused test account is no big deal) but the latter is needed to prevent getting my server blacklisted.
id=R_test_recipient ; firstname.lastname@example.org ; email@example.com ; action=REJECT
id=R_test_sender ; firstname.lastname@example.org ; email@example.com ; action=REJECT